Multi-tenant App Registration secret rotation solution

Dan Weinstock 0 Reputation points
2023-03-30T03:51:26.0833333+00:00

Hello,

Context:

  • The team provides security services to multiple customers (multiple tenants).
  • To deploy content into the various tenants we use Azure DevOps with several app registrations per customer (tenant).

Question:

  • We need to rotate credentials across our customer base regularly.
  • Ideally we want to automate as much of this as possible (for example rotating app registration secrets, storing them in Key Vault, updating Azure DevOps).
  • When we automate this, though, we still want to minimize the attack surface of the automation and the associated app registrations, as they have highly privileged permissions.

2 answers

  1. JimmySalian-2011 41,926 Reputation points
    2023-03-30T05:06:42.78+00:00

    Hi Dan,

    If you have multiple clients and have to manage all these customers' tenants with security as a paramount task, I would suggest you review the Microsoft Lighthouse solution; it is meant for all multi-tenant deployments. Check this page - https://learn.microsoft.com/en-us/azure/lighthouse/concepts/cross-tenant-management-experience

    The architecture solution is here - https://learn.microsoft.com/en-us/azure/lighthouse/concepts/architecture

    Hope this helps.

    JS



  2. Shweta Mathur 28,106 Reputation points Microsoft Employee
    2023-03-30T06:42:55.0066667+00:00

    Hi @Dan Weinstock

    Thanks for reaching out.

    I understand you are trying to manage credentials automatically for multiple applications registered in multiple tenants.

    We need to rotate credentials across our customer base regularly

    To rotate credentials on a regular basis, you can automate the process of rotating app registration secrets and storing them in Azure Key Vault.

    Reference: https://learn.microsoft.com/en-us/azure/key-vault/secrets/tutorial-rotation

    Azure AD Application Rotator - 3rd party walkthrough

    Ideally want to automate as much of this as possible (for example rotating app registration secrets, storing in key vault, updating Azure DevOps)

    This can be achieved using Azure managed identities, where an application or developer can obtain an Azure AD token without managing any credentials.

    When we automate this though we still want to minimize the attack surface of the automation and associated app registrations as they have highly privileged permissions.

    To minimize the attack surface of the automation and associated app registrations, you can follow the principle of least privilege and ensure that the app registrations have only the necessary permissions.

    Hope this will help.

    Thanks,

    Shweta

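The answer above names the pieces (add a new secret, store it in Key Vault, repoint Azure DevOps, least privilege for the automation) but not the order or the overlap that makes the rotation safe. The block below is an added example written for this page, not code from the thread or from Microsoft: one rotation cycle against the documented Microsoft Graph routes (`POST /applications/{id}/addPassword`, `POST /applications/{id}/removePassword`) and the Key Vault secrets REST route (`PUT /secrets/{name}?api-version=7.4`). The `http` parameter is a caller-supplied `(method, url, body) -> dict` callable so the logic runs offline; `FakeAzure` is a constructed in-memory stand-in for Graph and Key Vault, and the app object id, vault name and secret name in `demo()` are placeholders. Updating the Azure DevOps service connection is left as the `update_consumers` callback because its REST payload depends on the connection type. In production the callable would wrap `requests` with a token from the rotation job's managed identity; to keep that identity's blast radius small, grant it the Graph application permission `Application.ReadWrite.OwnedBy` (it can then only touch app registrations it owns) rather than `Application.ReadWrite.All`, and give it `Key Vault Secrets Officer` on the one vault instead of a broader role.

```python
"""Added example: rotate an app registration client secret with a one-cycle overlap."""
import datetime as dt
from typing import Callable, Optional

GRAPH = "https://graph.microsoft.com/v1.0"
KV_API = "7.4"
Http = Callable[[str, str, Optional[dict]], dict]


def _utcnow() -> dt.datetime:
    return dt.datetime.now(dt.timezone.utc)


def _list_passwords(http: Http, app_object_id: str) -> list:
    app = http("GET", f"{GRAPH}/applications/{app_object_id}?$select=passwordCredentials", None)
    return app.get("passwordCredentials", [])


def add_password(http: Http, app_object_id: str, lifetime_days: int) -> dict:
    """addPassword returns secretText exactly once; it cannot be read back later."""
    end = _utcnow() + dt.timedelta(days=lifetime_days)
    body = {"passwordCredential": {"displayName": f"rotated-{_utcnow():%Y%m%d}",
                                   "endDateTime": end.isoformat().replace("+00:00", "Z")}}
    return http("POST", f"{GRAPH}/applications/{app_object_id}/addPassword", body)


def store_in_key_vault(http: Http, vault: str, name: str, secret_text: str, key_id: str, end_iso: str) -> dict:
    """PUT creates a new secret version; 'exp' mirrors the credential expiry so the
    vault shows the same deadline, and the keyId tag links the version to the credential."""
    exp = int(dt.datetime.fromisoformat(end_iso.replace("Z", "+00:00")).timestamp())
    body = {"value": secret_text, "attributes": {"exp": exp}, "tags": {"keyId": key_id}}
    return http("PUT", f"https://{vault}.vault.azure.net/secrets/{name}?api-version={KV_API}", body)


def prune_old_passwords(http: Http, app_object_id: str, keep_key_ids: set) -> list:
    """Remove every password credential whose keyId is not in keep_key_ids."""
    removed = []
    for cred in _list_passwords(http, app_object_id):
        if cred["keyId"] not in keep_key_ids:
            http("POST", f"{GRAPH}/applications/{app_object_id}/removePassword", {"keyId": cred["keyId"]})
            removed.append(cred["keyId"])
    return removed


def rotate(http: Http, app_object_id: str, vault: str, secret_name: str,
           update_consumers: Callable[[str], None], lifetime_days: int = 90) -> dict:
    """Order matters: create, persist, repoint, then prune. The previous credential
    survives one more cycle so a consumer that has not picked up the new Key Vault
    version yet keeps authenticating; anything older than that is deleted."""
    existing = sorted(_list_passwords(http, app_object_id), key=lambda c: c["startDateTime"], reverse=True)
    previous = existing[0]["keyId"] if existing else None
    new = add_password(http, app_object_id, lifetime_days)
    store_in_key_vault(http, vault, secret_name, new["secretText"], new["keyId"], new["endDateTime"])
    update_consumers(new["secretText"])  # e.g. update the Azure DevOps service connection
    keep = {new["keyId"]} | ({previous} if previous else set())
    return {"new_key_id": new["keyId"], "kept_previous": previous,
            "removed": prune_old_passwords(http, app_object_id, keep)}


class FakeAzure:
    """Constructed in-memory stand-in for Graph + Key Vault so the example runs offline."""
    def __init__(self, creds: list):
        self.creds, self.vault, self.calls, self._n = list(creds), {}, [], 0

    def __call__(self, method: str, url: str, body: Optional[dict]) -> dict:
        self.calls.append((method, url.split("?")[0].rsplit("/", 1)[-1]))
        if url.endswith("/addPassword"):
            self._n += 1
            cred = {"keyId": f"key-new-{self._n}", "startDateTime": _utcnow().isoformat(),
                    "endDateTime": body["passwordCredential"]["endDateTime"]}
            self.creds.append(cred)
            return dict(cred, secretText=f"generated-secret-{self._n}")
        if url.endswith("/removePassword"):
            self.creds = [c for c in self.creds if c["keyId"] != body["keyId"]]
            return {}
        if "$select=passwordCredentials" in url:
            return {"passwordCredentials": list(self.creds)}
        if ".vault.azure.net/secrets/" in url:
            self.vault.setdefault(url.split("/secrets/")[1].split("?")[0], []).append(body)
            return {"value": body["value"]}
        raise ValueError(f"unexpected call {method} {url}")


def demo():
    """Two credentials already exist (constructed sample state); after rotation the
    newest two remain and the stale one is gone."""
    now = _utcnow()
    fake = FakeAzure([
        {"keyId": "key-old", "startDateTime": (now - dt.timedelta(days=180)).isoformat(),
         "endDateTime": (now - dt.timedelta(days=90)).isoformat()},
        {"keyId": "key-prev", "startDateTime": (now - dt.timedelta(days=90)).isoformat(),
         "endDateTime": now.isoformat()},
    ])
    delivered = []  # what the Azure DevOps update hook received
    result = rotate(fake, "00000000-0000-0000-0000-000000000000", "contoso-kv",
                    "devops-sp-secret", delivered.append)
    return result, fake, delivered


if __name__ == "__main__":
    print(demo()[0])
```

Run the job once per customer tenant from a schedule, and alert if `removed` is ever longer than one entry: that means a previous cycle did not complete and more than two credentials were live on the app.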